Apr 12, 2011 10:17:00 AM
Forefront Endpoint Protection Command Line Interface Tasks

If you should ever need to administer a local FEP client through CLI you’re going to need to make use of MpCmdRun.exe. This program can be found in the “C:\Program Files\Microsoft Security Client\Antimalware” directory. MpCmdRun has several important functions; in this post we’ll be discussing some of the more useful options.

First there is the “–Scan” option, this could be useful if you’re troubleshooting a system that is not allowing you access to the FEP client GUI. You’ll also need to enter a parameter for which type of scan you would like to have the client perform:

1. Quick scan

2. Full system scan

3. Single file custom scan

Next, we’ll take a look at the –RemoveDefinitions option. Although Microsoft has never put out a bad definition, if you should ever need to roll back to a previous FEP definition, using the command MpCmdrun –RemoveDefinitions, would be the way to do it. This would force the client to roll back to the previous version of its defs. FEP actually stores up to 3 previous versions of its definition files.

Lastly, I’ll discuss SignatureUpdate. This option not only gives you the ability to force a definition update from the command line, it could also let you define where the client will pull the update from. This could be very useful in a situation where your SUP or WSUS site has gone down and you want to ensure your clients are still updating without having to make a change to your FEP policies. To instruct the client to pull from a UNC file share use the [-UNC] switch, or to have a client pull a def over the web from the Microsoft Malware Protection Center use the [-MMPC] switch. If you needed to, you could easily create a script or batch file to make use the –SignatureUpdate option.

For a full list of all the options that MpCmdRun can utilize enter “MpCmdRun.exe ?” in your CMD window.